Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Potential stopgap solution to removing remote quarantined media #184

Closed
turt2live opened this issue Jul 9, 2019 · 1 comment
Closed

Potential stopgap solution to removing remote quarantined media #184

turt2live opened this issue Jul 9, 2019 · 1 comment
Labels
antispam enhancement no matrix spec security

Comments

@turt2live
Copy link
Member

It sucks that remote media which has been subsequently quarantined/removed by the host is still cached on our end. Until Matrix truly federates media, we can plug the gap by using Matrix itself or on top of the media repo stack:

Possible solution 1: Fill a room with hashes to quarantine

Bots operated by the media repo would join a collective room set in the config and advertise their quarantined media there when it happens. It would only contain the hashes to avoid media IDs being discovered. The media repos listening in the room would search their records for that hash and quarantine it if needed.

To ensure that someone can't just pump hashes into the room, we could require the media repo be configured with a signing key (#118) and sign a specific media object off the repo (eg: mxc://example.org/media_repo_signature). The signature should allow for multiple homeservers to sign, giving a single user ID control over several homeservers worth of media (and also not requiring that an account be provisioned per homeserver). The media repos would use the signature to only quarantine/delete media from that host (honouring the deletion request).

Advantages:

  • Global "ban" list
  • Historical record of hashes to avoid in the future

Disadvantages:

  • Spammy
  • Requires a signing key
  • Centralized (you only quarantine media if you're part of the cool kids in the room)

Possible solution 2: Fill a room, but have repos subscribe instead

Instead of signing some objects and gathering into a room, a custom API or media object could be used to advertise a room which other media repos should join to quarantine media. For example, if mxc://example.org/media_repo_quarantine_feed pointed to !abcdef:example.org, then any hashes in !abcdef:example.org could be quarantined/deleted if posted for example.org.

Advantages:

  • Media repo gets to control where people get pointed to (they could fork the ban list off to a larger homeserver which is capable of handling multiple parties in the room)
  • Doesn't involve complicated setup from an admin

Disadvantages:

  • Historical record could be lost (admin changes room permissions, or changes the room ID entirely)
  • If the room is invite only, the media repo is unable to quarantine the host's media (maybe this is a feature though? It's mostly not, but it could be?)
  • Not reliant on a giant room

Possible solution 3: Polling

The media repo could poll the media and/or a well-specified hash listing to quarantine/delete media from.

Advantages:

  • Super simple to add

Disadvantages:

  • Polling
@turt2live turt2live added this to the v1.0.0 milestone Jul 9, 2019
@turt2live turt2live modified the milestones: v1.0.0, v1.1.0 Sep 5, 2019
@turt2live turt2live removed this from the v1.3.0 milestone Feb 12, 2023
@turt2live
Copy link
Member Author

There are legal issues with hashlists that this project can't take on at the moment. Closing until MSCs exist for this area.

@turt2live turt2live closed this as not planned Won't fix, can't repro, duplicate, stale Aug 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
antispam enhancement no matrix spec security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@turt2live